redis auth

Author: Snawoot

auth/auth.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"errors"
 	"net/http"
 	"net/url"
@@ -10,7 +11,7 @@ import (
 )
 
 type Auth interface {
-	Validate(wr http.ResponseWriter, req *http.Request) (string, bool)
+	Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool)
 	Stop()
 }
 
@@ -29,6 +30,10 @@ func NewAuth(paramstr string, logger *clog.CondLogger) (Auth, error) {
 		return NewHMACAuth(url, logger)
 	case "cert":
 		return NewCertAuth(url, logger)
+	case "redis":
+		return NewRedisAuth(url, false, logger)
+	case "redis-cluster":
+		return NewRedisAuth(url, true, logger)
 	case "none":
 		return NoAuth{}, nil
 	default:

auth/basic.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -114,7 +115,7 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
 	}
 }
 
-func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *BasicAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {
 		requireBasicAuth(wr, req, auth.hiddenDomain)

auth/cert.go

@@ -3,6 +3,7 @@ package auth
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -65,7 +66,7 @@ func NewCertAuth(param_url *url.URL, logger *clog.CondLogger) (*CertAuth, error)
 	return auth, nil
 }
 
-func (auth *CertAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *CertAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 || len(req.TLS.VerifiedChains[0]) < 1 {
 		http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
 		return "", false

auth/common.go

@@ -2,10 +2,13 @@ package auth
 
 import (
 	"crypto/subtle"
+	"errors"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
+
+	"github.com/tg123/go-htpasswd"
 )
 
 func matchHiddenDomain(host, hidden_domain string) bool {
@@ -28,3 +31,16 @@ func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain s
 		wr.Write([]byte(AUTH_REQUIRED_MSG))
 	}
 }
+
+func makePasswdMatcher(encoded string) (htpasswd.EncodedPasswd, error) {
+	for _, p := range htpasswd.DefaultSystems {
+		matcher, err := p(encoded)
+		if err != nil {
+			return nil, err
+		}
+		if matcher != nil {
+			return matcher, nil
+		}
+	}
+	return nil, errors.New("no suitable password encoding system found")
+}

auth/hmac.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
@@ -83,7 +84,7 @@ func VerifyHMACLoginAndPassword(secret []byte, login, password string) bool {
 	return hmac.Equal(token.Signature[:], expectedMAC)
 }
 
-func (auth *HMACAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *HMACAuth) Validate(_ context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {
 		requireBasicAuth(wr, req, auth.hiddenDomain)

auth/noauth.go

@@ -1,10 +1,13 @@
 package auth
 
-import "net/http"
+import (
+	"context"
+	"net/http"
+)
 
 type NoAuth struct{}
 
-func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (_ NoAuth) Validate(_ context.Context, _ http.ResponseWriter, _ *http.Request) (string, bool) {
 	return "", true
 }
 

auth/redis.go

@@ -0,0 +1,110 @@
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	clog "github.com/SenseUnit/dumbproxy/log"
+
+	"github.com/redis/go-redis/v9"
+)
+
+type RedisAuth struct {
+	logger       *clog.CondLogger
+	hiddenDomain string
+	r            redis.Cmdable
+	keyPrefix    string
+}
+
+func NewRedisAuth(param_url *url.URL, cluster bool, logger *clog.CondLogger) (*RedisAuth, error) {
+	values, err := url.ParseQuery(param_url.RawQuery)
+	if err != nil {
+		return nil, err
+	}
+	auth := &RedisAuth{
+		logger:       logger,
+		hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
+		keyPrefix:    values.Get("key_prefix"),
+	}
+	if cluster {
+		opts, err := redis.ParseClusterURL(values.Get("url"))
+		if err != nil {
+			return nil, err
+		}
+		auth.r = redis.NewClusterClient(opts)
+	} else {
+		opts, err := redis.ParseURL(values.Get("url"))
+		if err != nil {
+			return nil, err
+		}
+		auth.r = redis.NewClient(opts)
+	}
+	return auth, nil
+}
+
+func (auth *RedisAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+	hdr := req.Header.Get("Proxy-Authorization")
+	if hdr == "" {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+	hdr_parts := strings.SplitN(hdr, " ", 2)
+	if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	token := hdr_parts[1]
+	data, err := base64.StdEncoding.DecodeString(token)
+	if err != nil {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	pair := strings.SplitN(string(data), ":", 2)
+	if len(pair) != 2 {
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	login := pair[0]
+	password := pair[1]
+
+	encodedPasswd, err := auth.r.Get(ctx, auth.keyPrefix+login).Result()
+	if err != nil {
+		auth.logger.Debug("error fetching key %q from Redis: %v", auth.keyPrefix+login, err)
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+	matcher, err := makePasswdMatcher(encodedPasswd)
+	if err != nil {
+		auth.logger.Debug("can't create password matcher from Redis key %q: %v", auth.keyPrefix+login, err)
+		requireBasicAuth(wr, req, auth.hiddenDomain)
+		return "", false
+	}
+
+	if matcher.MatchesPassword(password) {
+		if auth.hiddenDomain != "" &&
+			(req.Host == auth.hiddenDomain || req.URL.Host == auth.hiddenDomain) {
+			wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_TRIGGERED_MSG))))
+			wr.Header().Set("Pragma", "no-cache")
+			wr.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+			wr.Header().Set("Expires", EPOCH_EXPIRE)
+			wr.Header()["Date"] = nil
+			wr.WriteHeader(http.StatusOK)
+			wr.Write([]byte(AUTH_TRIGGERED_MSG))
+			return "", false
+		} else {
+			return login, true
+		}
+	}
+	requireBasicAuth(wr, req, auth.hiddenDomain)
+	return "", false
+}
+
+func (auth *RedisAuth) Stop() {
+}

handler/handler.go

@@ -192,7 +192,8 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	username, ok := s.auth.Validate(wr, req)
+	ctx := req.Context()
+	username, ok := s.auth.Validate(ctx, wr, req)
 	localAddr := getLocalAddr(req.Context())
 	s.logger.Info("Request: %v => %v %q %v %v %v", req.RemoteAddr, localAddr, username, req.Proto, req.Method, req.URL)
 
@@ -208,7 +209,6 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
 			ipHints = &hintValues[0]
 		}
 	}
-	ctx := req.Context()
 	ctx = ddto.BoundDialerParamsToContext(ctx, ipHints, trimAddrPort(localAddr))
 	ctx = ddto.FilterParamsToContext(ctx, req, username)
 	req = req.WithContext(ctx)